heroku-bouncer 0.4.0.pre → 0.4.0.pre2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f43138f01404ab7e324200582dfb741e4eaaccdd
-  data.tar.gz: 066eb52d989918961505cd21f760b7421a3fd40d
+  metadata.gz: 251889f5d6ea897a0ff12014d09e83ecc1daec83
+  data.tar.gz: 35458dfffc28c61a9b1ec3391a38039308a81840
 SHA512:
-  metadata.gz: f9b41150e950a3f5342d5f909197f38c7896a240a2e384b28e470d1217c600586a9631e5735fe1e5bf65eb3c50363f83190b03df507f985f551780707fde1cf0
-  data.tar.gz: c12572fc71cb948758547a3580e73bb0393cb75479f6e64eb6b514b54ee9997185ac511955e8dd381917eebc33cbb298ebc2032c1a192a9f380cc5dc2aab1cae
+  metadata.gz: c8f8233a0789b6be629ed528ff9d7e6b0529bf6c3a93ae16b673ba54538383655f793989d785a4dadf1b8c25052a7ba9dabb9cdcd662a9129d2c8cdc5eef6271
+  data.tar.gz: cda090b0f6ce0803f1981d318f0ca02bd2dbf04362c18ee6603523d864efeccf696268a9db59c673867306585bb24038412dff9b7da81f1f49b0bd90cfa06629

data/README.md

@@ -25,10 +25,7 @@ Sinatra app that uses heroku-bouncer.
     heroku clients:register myapp https://myapp.herokuapp.com/auth/heroku/callback
     ```
 
-3. Set `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` in your environment.
-4. Set the `COOKIE_SECRET` environment variable to a long random string.
-   Otherwise, the OAuth ID and secret are concatenated for use as a secret.
-5. Use the middleware as follows:
+3. Configure the middleware as follows:
 
     **Rack**
 
@@ -69,10 +66,29 @@ Sinatra app that uses heroku-bouncer.
     config.middleware.use ::Heroku::Bouncer
     ```
 
-## Options
+4. Add the required options `:oauth` and `:secret` as explained
+   below.
 
-There are 4 boolean options you can pass to the middleware:
+## Settings
 
+Two settings are **required**:
+
+* `oauth`: Your OAuth credentials as a hash - `:id` and `:secret`.
+* `secret`: A random string used as an encryption secret used to secure
+  the user information in the session.
+
+For example:
+
+```ruby
+use Heroku::Bouncer,
+  oauth: { id: "...", secret: "..." },
+  secret: "..."
+```
+
+There are 5 options you can pass to the middleware:
+
+* `oauth[:scope]`: The [OAuth scope][] to use when requesting the OAuth
+  token. Default: `identity`.
 * `herokai_only`: Automatically redirects non-Heroku accounts to
   `www.heroku.com`. Alternatively, pass a valid URL and non-Herokai will
   be redirected there. Default: `false`
@@ -86,7 +102,10 @@ There are 4 boolean options you can pass to the middleware:
 You use these by passing a hash to the `use` call, for example:
 
 ```ruby
-use Heroku::Bouncer, expose_token: true
+use Heroku::Bouncer,
+  oauth: { id: "...", secret: "...", scope: "global" },
+  secret: "...",
+  expose_token: true
 ```
 
 ## How to get the data
@@ -125,12 +144,15 @@ logging in again.
 ## Conditionally enable the middleware
 
 Don't want to OAuth on every request? Use a middleware to conditionally
-enable this middleware, like
-[Rack::Builder](http://rack.rubyforge.org/doc/Rack/Builder.html).
+enable this middleware, like [Rack::Builder][].
 Alternatively, [use inheritance to extend the middleware to act any way
-you like](https://gist.github.com/wuputah/5534428).
+you like][inheritance].
 
 ## There be dragons
 
 * There's no tests yet. You may encounter bugs. Please report them (or
   fix them in a pull request).
+
+[OAuth scope]: https://devcenter.heroku.com/articles/oauth#scopes
+[Rack::Builder]: http://rack.rubyforge.org/doc/Rack/Builder.html
+[inheritance]: https://gist.github.com/wuputah/5534428

data/lib/heroku/bouncer/builder.rb

@@ -0,0 +1,53 @@
+require 'heroku/bouncer/middleware'
+require 'rack/builder'
+require 'omniauth-heroku'
+
+class Heroku::Bouncer::Builder
+
+  def self.new(app, options = {})
+    builder = Rack::Builder.new
+    id, secret, scope = extract_options!(options)
+    unless id.empty? || secret.empty?
+      builder.use OmniAuth::Builder do
+        provider :heroku, id, secret, :scope => scope
+      end
+    end
+    builder.run Heroku::Bouncer::Middleware.new(app, options)
+    builder
+  end
+
+  def self.extract_options!(options)
+    oauth = options.delete(:oauth) || {}
+    id = oauth.delete(:id)
+    secret = oauth.delete(:secret)
+    scope = oauth.delete(:scope) || 'identity'
+
+    if id.nil? && (ENV.has_key?('HEROKU_ID') || ENV.has_key?('HEROKU_OAUTH_ID'))
+      $stderr.puts "[warn] heroku-bouncer: HEROKU_ID or HEROKU_OAUTH_ID detected in environment, please pass in :oauth hash instead"
+      id = ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']
+    end
+
+    if secret.nil? && (ENV.has_key?('HEROKU_SECRET') || ENV.has_key?('HEROKU_OAUTH_SECRET'))
+      $stderr.puts "[warn] heroku-bouncer: HEROKU_SECRET or HEROKU_OAUTH_SECRET detected in environment, please pass in :oauth hash instead"
+      secret = ENV['HEROKU_OAUTH_SECRET'] || ENV['HEROKU_SECRET']
+    end
+
+    if id.nil? || secret.nil?
+      $stderr.puts "[fatal] heroku-bouncer: HEROKU_OAUTH_ID or HEROKU_OAUTH_SECRET not set, middleware disabled"
+      options[:disabled] = true
+    end
+
+    # we have to do this here because we wont have id+secret later
+    if options[:secret].nil?
+      if ENV.has_key?('COOKIE_SECRET')
+        $stderr.puts "[warn] heroku-bouncer: COOKIE_SECRET detected in environment, please pass in :secret instead"
+        options[:secret] = ENV['COOKIE_SECRET']
+      else
+        $stderr.puts "[warn] heroku-bouncer: :secret is missing, using id + secret"
+        options[:secret] = id.to_s + secret.to_s
+      end
+    end
+
+    [id, secret, scope]
+  end
+end

data/lib/heroku/bouncer/decrypted_hash.rb

@@ -0,0 +1,38 @@
+require 'heroku/bouncer/lockbox'
+
+# Encapsulates encrypting and decrypting a hash of data. Does not store the
+# key that is passed in.
+class Heroku::Bouncer::DecryptedHash < Hash
+
+  Lockbox = ::Heroku::Bouncer::Lockbox
+
+  def initialize(decrypted_hash = nil)
+    super
+    replace(decrypted_hash) if decrypted_hash
+  end
+
+  def self.unlock(data, key)
+    if data && data = Lockbox.new(key).unlock(data)
+      data, digest = data.split("--")
+      if digest == Lockbox.generate_hmac(data, key)
+        data = data.unpack('m*').first
+        data = Marshal.load(data)
+        new(data)
+      else
+        new
+      end
+    else
+      new
+    end
+  end
+
+  def lock(key)
+    # marshal a Hash, not a DecryptedHash
+    data = {}.replace(self)
+    data = Marshal.dump(data)
+    data = [data].pack('m*')
+    data = "#{data}--#{Lockbox.generate_hmac(data, key)}"
+    Lockbox.new(key).lock(data)
+  end
+
+end

data/lib/heroku/bouncer/json_parser.rb

@@ -0,0 +1,18 @@
+# json parsers, all the way down
+Heroku::Bouncer::JsonParser = begin
+  require 'oj'
+  lambda { |json| Oj.load(json, :mode => :strict) }
+rescue LoadError
+  begin
+    require 'yajl'
+    lambda { |json| Yajl::Parser.parse(json) }
+  rescue LoadError
+    begin
+      require 'multi_json'
+      lambda { |json| MultiJson.decode(json) }
+    rescue LoadError
+      require 'json'
+      lambda { |json| JSON.parse(json) }
+    end
+  end
+end

data/lib/heroku/bouncer/lockbox.rb

@@ -0,0 +1,40 @@
+require 'openssl'
+
+class Heroku::Bouncer::Lockbox < BasicObject
+
+  def initialize(key)
+    @key = key
+  end
+
+  def lock(str)
+    aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
+    aes.key = @key
+    iv = ::OpenSSL::Random.random_bytes(aes.iv_len)
+    aes.iv = iv
+    [iv + (aes.update(str) << aes.final)].pack('m0')
+  end
+
+  # decrypts string. returns nil if an error occurs
+  #
+  # returns nil if openssl raises an error during decryption (data
+  # manipulation, key change, implementation change), or if the text to
+  # decrypt is too short to possibly be good aes data.
+  def unlock(str)
+    str = str.unpack('m0').first
+    aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
+    aes.key = @key
+    iv = str[0, aes.iv_len]
+    aes.iv = iv
+    crypted_text = str[aes.iv_len..-1]
+    return nil if crypted_text.nil? || iv.nil?
+    aes.update(crypted_text) << aes.final
+  rescue
+    nil
+  end
+
+private
+
+  def self.generate_hmac(data, key)
+    ::OpenSSL::HMAC.hexdigest(::OpenSSL::Digest::SHA1.new, key, data)
+  end
+end

data/lib/heroku/bouncer/middleware.rb

@@ -0,0 +1,144 @@
+require 'sinatra/base'
+require 'faraday'
+require 'securerandom'
+
+require 'heroku/bouncer/json_parser'
+require 'heroku/bouncer/decrypted_hash'
+
+class Heroku::Bouncer::Middleware < Sinatra::Base
+
+  DecryptedHash = ::Heroku::Bouncer::DecryptedHash
+
+  enable :raise_errors
+  disable :show_exceptions
+
+  def initialize(app, options = {})
+    if options[:disabled]
+      @app = app
+      @disabled = true
+      # super is not called; we're not using sinatra if we're disabled
+    else
+      super(app)
+      @cookie_secret = extract_option(options, :secret, SecureRandom.base64(32))
+      @herokai_only = extract_option(options, :herokai_only, false)
+      @expose_token = extract_option(options, :expose_token, false)
+      @expose_email = extract_option(options, :expose_email, true)
+      @expose_user = extract_option(options, :expose_user, true)
+    end
+  end
+
+  def call(env)
+    if @disabled
+      @app.call(env)
+    else
+      unlock_session_data(env) do
+        super(env)
+      end
+    end
+  end
+
+  def unlock_session_data(env, &block)
+    decrypt_store(env)
+    return_value = yield
+    encrypt_store(env)
+    return_value
+  end
+
+  before do
+    if store_read(:user)
+      expose_store
+    elsif ! %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout].include?(request.path)
+      store_write(:return_to, request.url)
+      redirect to('/auth/heroku')
+    end
+  end
+
+  # callback when successful, time to save data
+  get '/auth/heroku/callback' do
+    token = request.env['omniauth.auth']['credentials']['token']
+    if @expose_email || @expose_user || @herokai_only
+      user = fetch_user(token)
+      if @herokai_only && !user['email'].end_with?("@heroku.com")
+        url = @herokai_only.is_a?(String) ? @herokai_only : 'https://www.heroku.com'
+        redirect to(url) and return
+      end
+      @expose_user ? store_write(:user, user) : store_write(:user, true)
+      store_write(:email, user['email']) if @expose_email
+    else
+      store_write(:user, true)
+    end
+
+    store_write(:token, token) if @expose_token
+    redirect to(store_delete(:return_to) || '/')
+  end
+
+  # something went wrong
+  get '/auth/failure' do
+    destroy_session
+    redirect to("/")
+  end
+
+  # logout, single sign-on style
+  get '/auth/sso-logout' do
+    destroy_session
+    auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
+    redirect to("#{auth_url}/logout")
+  end
+
+  # logout but only locally
+  get '/auth/logout' do
+    destroy_session
+    redirect to("/")
+  end
+
+private
+
+  def extract_option(options, option, default = nil)
+    options.has_key?(option) ? options[option] : default
+  end
+
+  def fetch_user(token)
+    ::Heroku::Bouncer::JsonParser.call(
+      Faraday.new(ENV["HEROKU_API_URL"] || "https://api.heroku.com/").get('/account') do |r|
+        r.headers['Accept'] = 'application/json'
+        r.headers['Authorization'] = "Bearer #{token}"
+      end.body)
+  end
+
+  def decrypt_store(env)
+    env["rack.session"][:bouncer] =
+      DecryptedHash.unlock(env["rack.session"][:bouncer], @cookie_secret)
+  end
+
+  def encrypt_store(env)
+    env["rack.session"][:bouncer] =
+      env["rack.session"][:bouncer].lock(@cookie_secret)
+  end
+
+  def store
+    session[:bouncer]
+  end
+
+  def store_write(key, value)
+    store[key] = value
+  end
+
+  def store_read(key)
+    store.fetch(key, nil)
+  end
+
+  def store_delete(key)
+    store.delete(key)
+  end
+
+  def destroy_session
+    session = nil if session
+  end
+
+  def expose_store
+    store.each_pair do |key, value|
+      request.env["bouncer.#{key}"] = value
+    end
+  end
+
+end

data/lib/heroku/bouncer.rb

@@ -1,234 +1,10 @@
-require 'sinatra/base'
-require 'omniauth-heroku'
-require 'faraday'
-require 'multi_json'
-require 'openssl'
-
-unless defined?(Heroku)
-  module Heroku; end
-end
-
-class Heroku::Bouncer < Sinatra::Base
-
-  $stderr.puts "[warn] heroku-bouncer: HEROKU_ID detected, please use HEROKU_OAUTH_ID instead" if ENV.has_key?('HEROKU_ID')
-  $stderr.puts "[warn] heroku-bouncer: HEROKU_SECRET detected, please use HEROKU_OAUTH_SECRET instead" if ENV.has_key?('HEROKU_SECRET')
-
-  ID            = (ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']).to_s
-  SECRET        = (ENV['HEROKU_OAUTH_SECRET'] ||  ENV['HEROKU_SECRET']).to_s
-  COOKIE_SECRET = (ENV['COOKIE_SECRET'] || (ID + SECRET)).to_s
-
-  enable :raise_errors
-  disable :show_exceptions
-
-  # sets up the /auth/heroku endpoint
-  unless ID.empty? || SECRET.empty?
-    use OmniAuth::Builder do
-      provider :heroku, ID, SECRET
-    end
-  end
-
-  def initialize(app, options = {})
-    if ID.empty? || SECRET.empty?
-      $stderr.puts "[fatal] heroku-bouncer: HEROKU_OAUTH_ID or HEROKU_OAUTH_SECRET not set, middleware disabled"
-      @app = app
-      @disabled = true
-      # super is not called; we're not using sinatra if we're disabled
-    else
-      super(app)
-      @herokai_only = extract_option(options, :herokai_only, false)
-      @expose_token = extract_option(options, :expose_token, false)
-      @expose_email = extract_option(options, :expose_email, true)
-      @expose_user = extract_option(options, :expose_user, true)
+# define Heroku and Heroku::Bouncer
+module Heroku
+  class Bouncer
+    def self.new(*args)
+      Heroku::Bouncer::Builder.new(*args)
     end
   end
-
-  def call(env)
-    if @disabled
-      @app.call(env)
-    else
-      unlock_session_data(env) do
-        super(env)
-      end
-    end
-  end
-
-  def unlock_session_data(env, &block)
-    decrypt_store(env)
-    return_value = yield
-    encrypt_store(env)
-    return_value
-  end
-
-  before do
-    if store_read(:user)
-      expose_store
-    elsif ! %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout].include?(request.path)
-      store_write(:return_to, request.url)
-      redirect to('/auth/heroku')
-    end
-  end
-
-  # callback when successful, time to save data
-  get '/auth/heroku/callback' do
-    token = request.env['omniauth.auth']['credentials']['token']
-    if @expose_email || @expose_user || @herokai_only
-      user = fetch_user(token)
-      if @herokai_only && !user['email'].end_with?("@heroku.com")
-        url = @herokai_only.is_a?(String) ? @herokai_only : 'https://www.heroku.com'
-        redirect to(url) and return
-      end
-      @expose_user ? store_write(:user, user) : store_write(:user, true)
-      store_write(:email, user['email']) if @expose_email
-    else
-      store_write(:user, true)
-    end
-
-    store_write(:token, token) if @expose_token
-    redirect to(store_delete(:return_to) || '/')
-  end
-
-  # something went wrong
-  get '/auth/failure' do
-    destroy_session
-    redirect to("/")
-  end
-
-  # logout, single sign-on style
-  get '/auth/sso-logout' do
-    destroy_session
-    auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
-    redirect to("#{auth_url}/logout")
-  end
-
-  # logout but only locally
-  get '/auth/logout' do
-    destroy_session
-    redirect to("/")
-  end
-
-  # Encapsulates encrypting and decrypting a hash of data. Does not store the
-  # key that is passed in.
-  class DecryptedHash < Hash
-
-    def initialize(decrypted_hash = nil)
-      super
-      replace(decrypted_hash) if decrypted_hash
-    end
-
-    def self.unlock(data, key)
-      if data && data = Lockbox.new(key).unlock(data)
-        data, digest = data.split("--")
-        if digest == Lockbox.generate_hmac(data, key)
-          data = data.unpack('m*').first
-          data = Marshal.load(data)
-          new(data)
-        else
-          new
-        end
-      else
-        new
-      end
-    end
-
-    def lock(key)
-      # marshal a Hash, not a DecryptedHash
-      data = {}.replace(self)
-      data = Marshal.dump(data)
-      data = [data].pack('m*')
-      data = "#{data}--#{Lockbox.generate_hmac(data, key)}"
-      Lockbox.new(key).lock(data)
-    end
-
-  end
-
-  class Lockbox < BasicObject
-
-    def initialize(key)
-      @key = key
-    end
-
-    def lock(str)
-      aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
-      aes.key = @key
-      iv = ::OpenSSL::Random.random_bytes(aes.iv_len)
-      aes.iv = iv
-      [iv + (aes.update(str) << aes.final)].pack('m0')
-    end
-
-    # decrypts string. returns nil if an error occurs
-    #
-    # returns nil if openssl raises an error during decryption (data
-    # manipulation, key change, implementation change), or if the text to
-    # decrypt is too short to possibly be good aes data.
-    def unlock(str)
-      str = str.unpack('m0').first
-      aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
-      aes.key = @key
-      iv = str[0, aes.iv_len]
-      aes.iv = iv
-      crypted_text = str[aes.iv_len..-1]
-      return nil if crypted_text.nil? || iv.nil?
-      aes.update(crypted_text) << aes.final
-    rescue
-      nil
-    end
-
-  private
-
-    def self.generate_hmac(data, key)
-      ::OpenSSL::HMAC.hexdigest(::OpenSSL::Digest::SHA1.new, key, data)
-    end
-  end
-
-private
-
-  def decrypt_store(env)
-    env["rack.session"][:bouncer] =
-      DecryptedHash.unlock(env["rack.session"][:bouncer], COOKIE_SECRET)
-  end
-
-  def encrypt_store(env)
-    env["rack.session"][:bouncer] =
-      env["rack.session"][:bouncer].lock(COOKIE_SECRET)
-  end
-
-  def extract_option(options, option, default = nil)
-    options.has_key?(option) ? options[option] : default
-  end
-
-  def fetch_user(token)
-    MultiJson.decode(
-      Faraday.new(ENV["HEROKU_API_URL"] || "https://api.heroku.com/").get('/account') do |r|
-        r.headers['Accept'] = 'application/json'
-        r.headers['Authorization'] = "Bearer #{token}"
-      end.body)
-  end
-
-  def store
-    session[:bouncer]
-  end
-
-  def store_write(key, value)
-    store[key] = value
-  end
-
-  def store_read(key)
-    store.fetch(key, nil)
-  end
-
-  def store_delete(key)
-    store.delete(key)
-  end
-
-  def destroy_session
-    session = nil if session
-  end
-
-  def expose_store
-    store.each_pair do |key, value|
-      request.env["bouncer.#{key}"] = value
-    end
-  end
-
-
 end
+
+require 'heroku/bouncer/builder'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.4.0.pre
+  version: 0.4.0.pre2
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-25 00:00:00.000000000 Z
+date: 2013-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
@@ -53,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.8'
 - !ruby/object:Gem::Dependency
-  name: multi_json
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
@@ -89,6 +89,11 @@ extra_rdoc_files:
 - README.md
 files:
 - lib/heroku/bouncer.rb
+- lib/heroku/bouncer/decrypted_hash.rb
+- lib/heroku/bouncer/lockbox.rb
+- lib/heroku/bouncer/json_parser.rb
+- lib/heroku/bouncer/builder.rb
+- lib/heroku/bouncer/middleware.rb
 - README.md
 - Gemfile
 - Gemfile.lock